Random number generation method

ABSTRACT

A random number generator is implemented within a digital processor by: a) searching an internal timestamp register which counts clock pulses for sequencing the processor; b) extracting at a given time n bits from the least significant bits of the register, n>1; c) using the n bits extracted at step b) as constituent bit(s) of a N-bit random number (34) to be generated; d) reiterating steps a) to c) until obtaining the N bits of the random number; and e) providing the random number to an application circuit or software.

CROSS REFERENCE TO RELATED APPLICATIONS

This application claims priority under 35 U.S.C. § 119(a) to France patent application FR2105603 filed on May 28, 2021, the entire teachings of which are incorporated herein by reference.

BACKGROUND OF THE INVENTION

Field of the Invention

The present invention relates to random number generation in a computing device.

Description of the Related Art

Many techniques require random numbers, especially in the field of cryptography when it comes to implementing high-security encryption algorithms such as AES, RSA, Diffie-Hellman, etc. But random number draws are used in many other domains, such as games of chance, or also probabilistic modeling techniques or sample selection for statistical purposes.

There are multiple ways to generate random numbers, with variable levels of entropy, entropy being defined as the measure of the effective degree of randomness (lack of deterministic nature and predictability in the draw) of the generated value.

In some cases, it may be sufficient to generate “pseudo-random” numbers, i.e. numbers that are obtained by a method that is deterministic but that produces values sufficiently independent of each other to satisfy the needs of the considered applications: for example, modeling algorithms using probabilistic techniques, or statistical purpose sampling methods.

On the other hand, particularly in the case of data encryption, it is essential that no detectable link exists between successive numbers in the series of random numbers provided by the generator, that is to say that the numbers produced are absolutely impossible to predict.

The methods for generating random (and not simply pseudo-random) numbers that have been used up to now are mainly based on physical, material phenomena (for example a thermal or electromagnetic noise) or on an unpredictable interaction with a user, for example the erratic movements of a mouse, which are neither cyclic nor deterministic.

These generators provide very-high-entropy random numbers but have the drawback of being relatively complex, because they require hardware circuitry for collecting the physical phenomenon or the interaction with the user, analog-to-digital converter circuits, an algorithmic module for generating the random digital value, etc.

Moreover, they are poorly suited to the generation of very large random numbers (several tens or hundreds of bits), except at the cost of an excessively long response time between the request for obtaining the random number and the effective delivery of the result by the generator.

Now, the most recent high-security encryption applications require very fast generation of long and high-entropy random numbers.

The article of Marton K et al., “Randomness Assessment of an Unpredictable Random Number Generator based on hardware Performance Counters”, Romanian Journal of Information Science and Technology, Vol. 20, No. 2, 2017, 136-160, proposes a (pseudo-)random number generation technique consisting in sampling the content of one (or several) of the hardware performance counter(s) of a processor and in using the sampling result as a source of unpredictable random value.

The hardware performance counters are dedicated registers present in recent microprocessors, used for performance monitoring of the processor in operation. These counters count events (in the computer sense of the term) in relation with the activity of the processor: successful or missed cache accesses, instruction pipeline progress, etc. or also durations for which a given condition remains ‘true’, by counting the number of CPU cycles elapsed until this condition changes.

The highly unpredictable evolution of these counters, linked to the numerous and rapidly changing states of the processor operation, induces a high entropy allowing the generation of random number sequences. In other words, the random nature of the register content is attributed to the system entropy and to the multitude of processes and threads executed simultaneously.

However, this technique is not immune to phenomena such as: cyclic evolutions of the processor states, repetitive operating sequences, iterations, etc. To address this risk, the above-mentioned article of Marton et al. describes how to operate a “calibration” of the random number generator by “randomness assessment” of the sequences produced for various settings of the generator, making it possible to select the configurations that provide the best entropy.

Consequently, implementation of this technique requires a calibration of the generator to reduce the effect of all the potential operating biases, and to ensure that the (pseudo-)random number generation will be made with the desired level of entropy.

BRIEF SUMMARY OF THE INVENTION

The object of the invention is to remedy these difficulties and limitations, by proposing a random number generation technique offering, simultaneously:

- a very great simplicity of implementation, without the use of any hardware circuitry;
- the absence of any potential bias in the generation of the random numbers, these latter having no deterministic link between each other;
- the immediate guarantee of an optimum operation with a maximum entropy, with no use of a previous calibration;
- the possibility of providing at a very high rate random numbers as long as desired; and
- the possibility, in certain implementations, of making the proper operation of the random generator dependent on a higher-level parameter, itself randomly changed at each iteration of the process, that is to say with a double degree of randomness for each number obtained.

The basic idea of the invention consists in using as a source a register whose content changes in an a priori totally deterministic and predictable way, and carrying the random nature of the random number generation operation over to the moment when this register will be read.

More precisely, the invention proposes to use as a source register the timestamp register that counts the clock pulses sequencing the processor, which register is located downstream the crystal oscillator of the processor and which thus evolves, intrinsically, in a purely deterministic way over time, without any potential bias such as those explained hereinabove.

In particular, the content of this timestamp register is not subject to the same variations as the CPU cycles, whose repetition rate may vary in particular according to the CPU operating mode: “overclocking” or “turbo” mode, in which the frequency is increased, or conversely “underclocking” mode, in which the frequency is reduced for power saving purposes or for putting the computer into hibernation.

On the other hand, the counting of the processor sequencing clock pulses, i.e. of the oscillator beats or “ticks”, is an invariant and perfectly determinable function, depending on nothing but the passage of time. This counting feeds a register with a value of very low entropy, which is in constant and linear evolution, non-random and independent of the state of the system or of the number of processes or threads in execution, in such a way that successive readings of the register would provide only incremental linear variations.

The invention proposes to use this intrinsically deterministic source (the clock pulse counting)—thus immune to any potential bias—to generate a random number, the randomness residing only in the non-deterministic nature of the moment when the counter (and more precisely the last bit(s) thereof) is read. It is indeed impossible to determine this moment in advance due to the multitude of tasks, threads and events executed concomitantly by the system.

In other words, it is not the register content that makes the register reading result random, but the indeterminacy of the moment of this reading.

For that purpose, the invention proposes, more precisely, a random number generation method implemented by means of a digital processor, including: a) searching an internal timestamp register which counts clock pulses for sequencing the processor; b) extracting at a given time n bits from the least significant bits of the register, n ≥ 1; c) using the n bits extracted at step b) as constituent bit(s) of a N-bit random number (34) to be generated; d) reiterating steps a) to c) until obtaining the N bits of the random number; and e) providing the random number to an application circuit or software.

According to various advantageous subsidiary embodiments:

- the timestamp register (30) is a register counting pulses directly outputted from an oscillator (26) of the clock;
- steps a) to d) are carried out within a firmware of the processor;
- the n bits extracted at step b) are the least significant bit(s) of the timestamp register;
- n=1 and the bit extracted at step b) is the least significant bit of the timestamp register;
- the given time of extraction of the n bits at step b) is a time controlled by a random or pseudo-random generator; and/or
- the given time of extraction of the n bits at step b) is a time determined in response to a request received from the application circuit or software.

Additional aspects of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The aspects of the invention will be realized and attained by means of the elements and combinations particularly pointed out in the appended claims. It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS

The accompanying drawings, which are incorporated in and constitute part of this specification, illustrate embodiments of the invention and together with the description, serve to explain the principles of the invention. The embodiments illustrated herein are presently preferred, it being understood, however, that the invention is not limited to the precise arrangements and instrumentalities shown, wherein:

FIG. 1 schematically illustrates a digital processor with the various blocks to which it is interfaced, the whole being used for implementing the method of the invention.

FIG. 2 explains how to generate a random number by searching a register of the system of FIG. 1 .

FIG. 3 is a block diagram showing the successive steps of implementation of the method of the invention.

DETAILED DESCRIPTION OF THE INVENTION

FIG. 1 schematically shows a per se conventional architecture of a system with a digital processor.

A microprocessor or microcalculator 10 is interfaced by data bus 12, address bus 14, and control bus 16 respectively to memory circuits 18, external peripherals 20, and internal resources 22.

The general sequencing of the processor 10 is provided by a clock circuit 24 that includes an oscillator 26 driven by a crystal 28. The ticks of the oscillator 26 feed a timestamp register 30 counting the pulses that will be used to define the rate of the successive CPU cycles of the processor 10 after reduction of the frequency by a divider 32. The content of the timestamp register 30 is an evolutive content, constantly changing with the rhythm of the sequencing clock 24 pulses.

The principle of the invention, schematized in FIG. 2, consists in reading one or several bits (n bits, with n ≥ 1) of the timestamp register 30, and using these n bits to form the N bits of a random number 34 of N bits (N ≥ n).

If n<N, the process is reiterated until completion of the N bits of the number 34.

It is possible to extract, indifferently, for example one bit (n=1), a nibble (n=4), a byte (n=8), etc., at a time to obtain the N bits of the random number 34, without specific limitation on the number N, and hence on the length of the random number obtained.

However, to maximize the entropy of the process, it is preferred that only one bit (n=1) is extracted, more precisely the least significant bit of the register.

In most microprocessors, the timestamp register is an accessible and searchable register. For example, in Intel™ processors, this timestamp register is a 64-bit register called TSC (TimeStamp Counter), and it can be searched by the low-level instruction RDTSCP (Read TSC and Processor ID). This counter can reflect the number of pulses produced by the sequencing clock since the initial reset of the register.

The extracted bit(s) are the least significant bits (LSBs) of the timestamp register, which are bits whose value is deterministic but totally unpredictable at a given time, given the very high clock frequencies of current processors, typically several gigahertz, that is to say that the last bits of the timestamp register are changed several times at each nanosecond.

Now, the time of execution of the register search instruction is itself subject to an unpredictable randomness, which creates randomness on the value of the bit(s) read when this search is effectively carried out. Indeed, the hardware-level architecture of the microcalculators induces irregularities in the sequencing of execution of the micro instructions due to hardware interrupts (external events that trigger the execution of specific software programs and interrupt the execution of other software programs in an imperative way), but also due to the necessary coordination of several cores that execute tasks in parallel.

In addition, above the hardware layer are added several software layers that run themselves with different priority levels and in constant competition with external events and other software programs running at the same time.

It is hence impossible to predict when a particular micro-instruction of an application software will actually be executed, and consequently to determine in advance the value of the timestamp register bits, especially the least significant bits, at the time when the register reading instruction is actually executed.

FIG. 3 shows a block diagram 100 schematically illustrating the successive steps of the method for obtaining the random number 34 following the receipt (block 110) of a random number generation request:

- a) searching the timestamp register 30 (block 120);
- b) extracting the n bit(s) from the register (block 130);
- c) using this or these bits to form the random number (block 140);
- d) if the random number is not complete (test 150), reiterating steps 120 to 130; and finally
- e) providing the random number (block 160) as a response to the request at step 110.

It should be noted that the just-described method has several particularly significant advantages:

- no addition of hardware element to the preexisting circuits of the digital processor, because no interaction with the outside (to use a physical phenomenon) or with the user is necessary;
- simple and versatile implementation, the timestamp register existing on all the digital processors;
- very high degree of entropy; and
- possibility to obtain very long random numbers in a very short time.

In practice, the generation method can be implemented at several levels:

- entirely and directly within the processor firmware;
- from this firmware to feed a higher level application software layer, thus from the processor to the application layer (which avoids the difficulties due to the microprocessor access protections because, in this case, it is the latter that generates internally and provides the random number); or
- conversely, from the application layer to the processor, upon request from the application. Since a high-level application (User Mode) generally has no privilege to access directly the processor registers, the implementation can be made at two levels with i) a module running at a high privilege level to access the processor registers and ii) a second module communicating with the first one and interfaced with the high-level program through a suitable API.

The above-described embodiment, by repeated extractions of n bits from the timestamp register and concatenation of the n successive bits until obtaining the N bits of the random number, may have many alternatives.

These alternatives, which make it possible in particular to further increase the degree of entropy of the random number generated, are not exclusive and may be combined with each other.

A first alternative consists in issuing the register reading instruction under the control of a pseudo-random generator included in the internal software of the processor, which introduces between each reading of the register an unpredictable waiting time.

A second alternative consists in varying the number n and/or the order of the bits extracted from the searched register, also randomly or pseudo-randomly, at each search step. In other words, the value n is in this case itself random instead of being predefined, just as the order in which the n bits (if more than one bit) are used to form the random number.

A third alternative consists, instead of simply copying the n bits extracted to form the N bits of the random number, in using these n bits by changing them, for example by reversing or swapping them according to a random or pseudo-random process, by summing all of them or some of them, etc.
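As an added example, not code from the patent: the steps of FIG. 3 (blocks 120 to 160) and the first alternative above (a PRNG-driven wait before each read), in C. The names are assumptions; `read_timestamp` uses RDTSC on x86 and a monotonic clock elsewhere as a stand-in for the timestamp register, `sequential_counter` is a constructed deterministic source that exists only to check the bit assembly, and `ones_fraction` is the kind of monobit randomness assessment the Background section refers to.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <time.h>
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#endif

typedef uint64_t (*counter_fn)(void);
/* Step a): read the timestamp register. x86: the 64-bit TSC via RDTSC;
 * elsewhere a monotonic ns clock stands in (assumption, not the patent's register). */
uint64_t read_timestamp(void) {
#if defined(__x86_64__) || defined(__i386__)
    return __rdtsc();
#else
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
#endif
}

/* Constructed deterministic source (0, 1, 2, ...) for checking the bit assembly only. */
static uint64_t seq_value = 0;
void sequential_reset(uint64_t start) { seq_value = start; }
uint64_t sequential_counter(void) { return seq_value++; }
/* First alternative: unpredictable busy-wait before each read, driven by
 * a small PRNG (xorshift64 chosen here; the patent does not name one). */
static uint64_t prng_state = 0x9E3779B97F4A7C15ull;
static void random_wait(void) {
    uint64_t x = prng_state;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17; prng_state = x;
    volatile uint64_t spin = 0;
    for (uint64_t i = 0; i < (x & 63); i++) spin += i;   /* 0..63 iterations */
}
/* Steps a) to d): take the n least significant bits of each read and
 * concatenate them until nbits have been collected (n, nbits <= 64). */
uint64_t timestamp_random(counter_fn read_counter, unsigned n,
                          unsigned nbits, int wait) {
    if (n == 0 || n > 64 || nbits > 64) return 0;   /* out of range */
    uint64_t out = 0, mask = (n == 64) ? ~0ull : ((1ull << n) - 1);
    unsigned got = 0;
    while (got < nbits) {                   /* test 150: number complete? */
        if (wait) random_wait();
        uint64_t bits = read_counter() & mask;          /* steps a), b) */
        unsigned take = (got + n > nbits) ? nbits - got : n;
        bits &= (take == 64) ? ~0ull : ((1ull << take) - 1);
        out |= bits << got;                             /* step c) */
        got += take;
    }
    return out;                                         /* step e) */
}
/* Monobit check before trusting the source: fraction of ones over 1-bit draws, expect ~0.5. */
double ones_fraction(counter_fn read_counter, unsigned samples, int wait) {
    unsigned ones = 0;
    for (unsigned i = 0; i < samples; i++)
        ones += (unsigned)timestamp_random(read_counter, 1, 1, wait);
    return samples ? (double)ones / samples : 0.0;
}

int main(void) {
    printf("32-bit draw: 0x%08llx\n", (unsigned long long)timestamp_random(read_timestamp, 1, 32, 1));
    printf("ones over 4096 LSB reads: %.3f\n", ones_fraction(read_timestamp, 4096, 1));
    return 0;
}
```

On a real counter the fraction reported by `ones_fraction` drifting far from 0.5 is the first sign that the read cadence has locked onto the counter, which is exactly the bias the first alternative is meant to break.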

Of note, the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used herein, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “includes”, and/or “including,” when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.

As well, the corresponding structures, materials, acts, and equivalents of all means or step plus function elements in the claims below are intended to include any structure, material, or act for performing the function in combination with other claimed elements as specifically claimed. The description of the present invention has been presented for purposes of illustration and description, but is not intended to be exhaustive or limited to the invention in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the invention. The embodiment was chosen and described in order to best explain the principles of the invention and the practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated.

Having thus described the invention of the present application in detail and by reference to embodiments thereof, it will be apparent that modifications and variations are possible without departing from the scope of the invention defined in the appended claims as follows: 

1. A random number generation method implemented by means of a digital processor, the method comprising: a) searching an internal timestamp register which counts clock pulses for sequencing the processor; b) extracting at a given time n bits from the least significant bits of the register, n>1; c) using the n bits extracted at step b) as constituent bit(s) of a random number of N bits to be generated; d) reiterating steps a) to c) until obtaining the N bits of the random number; and e) providing the random number to an application circuit or software.
2. The method of claim 1, wherein the timestamp register is a register counting pulses directly outputted from an oscillator of the clock.
3. The method of claim 1, wherein steps a) to d) are carried out within a firmware of the processor.
4. The method of claim 1, wherein the n bits extracted at step b) are the least significant bit(s) of the timestamp register.
5. The method of claim 4, wherein n=1 and the bit extracted at step b) is the least significant bit of the timestamp register.
6. The method of claim 1, wherein the given time of extraction of the n bits at step b) is a time controlled by a random or pseudo-random generator.
7. The method of claim 1, wherein the given time of extraction of the n bits at step b) is a time determined in response to a request received from the application circuit or software.